How do you compare PKCE with other OAuth 2.0 security enhancements or alternatives?

2 What is JWT?

JWT stands for JSON Web Token, and it is a standard format for representing claims or information securely between two parties. JWT can be used as an alternative to opaque access tokens in OAuth 2.0, as they allow the client and the resource server to verify the authenticity and integrity of the token without contacting the authorization server. JWT can also carry additional information about the user, the scope, the expiration, and other attributes of the token, which can reduce the need for additional requests or database queries. However, JWT also has some drawbacks, such as being vulnerable to replay attacks, requiring more storage and bandwidth, and being harder to revoke or refresh.

3 What is OpenID Connect?

OpenID Connect is an identity layer on top of OAuth 2.0, that provides a standardized way for clients to obtain and verify the identity of the user, as well as access tokens for accessing protected resources. OpenID Connect uses JWT as ID tokens, which contain information about the user's authentication and profile. OpenID Connect also defines additional endpoints and flows for obtaining and refreshing ID tokens and access tokens, as well as discovery and registration mechanisms for clients and providers. OpenID Connect can enhance the security and usability of OAuth 2.0, by enabling single sign-on, federated identity, and user consent.

4 How to compare PKCE with JWT and OpenID Connect?

PKCE, JWT, and OpenID Connect are not mutually exclusive, but rather complementary solutions for different aspects of OAuth 2.0 security. PKCE is mainly focused on preventing authorization code interception attacks, which are relevant for public clients that use the authorization code grant flow. JWT is mainly focused on representing and validating access tokens, which are relevant for any client that needs to access protected resources. OpenID Connect is mainly focused on providing and verifying user identity, which is relevant for any client that needs to authenticate the user and obtain user information. Depending on your application's requirements and scenarios, you might need to use one or more of these security enhancements or alternatives, or combine them with other best practices, such as HTTPS, state parameters, and token revocation.

5 What are the benefits of using PKCE?

Using PKCE can provide several benefits for your application's security and performance, such as reducing the risk of authorization code interception attacks and enabling the use of the authorization code grant flow for public clients. Additionally, PKCE simplifies the implementation and configuration of your client, as you do not need to store or manage a client secret. This can also improve the user experience and network efficiency, as you do not need to redirect the user multiple times or make additional requests to obtain an access token.

6 What are the challenges of using PKCE?

Using PKCE can also present some difficulties for your application's development and maintenance, such as increasing the complexity of your authorization request and response, needing the support of the authorization server and client library, and limiting the compatibility with other OAuth 2.0 extensions or protocols. Generating and verifying the code verifier and code challenge is necessary, and it might not be compatible with your infrastructure or tools. Additionally, JWT or OpenID Connect might have different requirements for the authorization code grant flow which can conflict with PKCE.

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?